Hello,

I created a GPO Roaming Profiles redirection in my AD as shown on this page (https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions). The data are stored in a sharing file server (samba member domain).

When I open a windows user session it doesn't work. Event observer says "Access denied".

So I changed 'chmod 1750 /srv/samba/profiles/' for 'chmod 1770' and it works.

Finally, is it a mistake on the Wiki? Or should I do otherwise?
Hai,

I think you missed the part in the link:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions

This part:

    Setting up the Share on the Samba File Server
    Using Windows ACLs
    To create a share, for example, profiles for hosting the roaming profiles on a Samba file server:
    Create a new share. For details, see Setting up a Share Using Windows ACLs.
    Set the following permissions:

Where "Setting up a Share Using Windows ACLs" links to:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Where 770 is used ;-)

But at least you are reading the wiki... So keep doing that. :-)

I'll get there, your change is ok.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Tom via samba
> Sent: Tuesday 18 June 2019 16:59
> To: sambalist
> Subject: [Samba] Roaming Profiles
>
> Hello,
>
> I created a GPO Roaming Profiles redirection in my AD as shown on this page
> (https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions).
> The data are stored in a sharing file server (samba member domain).
>
> When I open a windows user session it doesn't work. Event observer says
> "Access denied".
>
> So I changed 'chmod 1750 /srv/samba/profiles/' for 'chmod 1770' and it works.
>
> Finally, is it a mistake on the Wiki? Or should I do otherwise?
On 18/06/2019 15:58, Tom via samba wrote:
> Hello,
>
> I created a GPO Roaming Profiles redirection in my AD as shown on this page
> (https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions).
> The data are stored in a sharing file server (samba member domain).
>
> When I open a windows user session it doesn't work. Event observer
> says "Access denied".
>
> So I changed 'chmod 1750 /srv/samba/profiles/' for 'chmod 1770' and it works.
>
> Finally, is it a mistake on the Wiki? Or should I do otherwise?

It looks like your user is possibly unknown to the OS, but your group (Domain Users ??) isn't and you have now given the group write access to the profile.

Can you post the smb.conf from the server holding the profiles.

Rowland
On 18/06/2019 16:08, L.P.H. van Belle via samba wrote:
> Hai,
>
> I think you missed the part in the link:
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions
> This part:
> Setting up the Share on the Samba File Server
> Using Windows ACLs
> To create a share, for example, profiles for hosting the roaming profiles on a Samba file server:
>
> Create a new share. For details, see Setting up a Share Using Windows ACLs. Set the following permissions:
>
> Where "Setting up a Share Using Windows ACLs" links to:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> Where 770 is used ;-)
>
> But at least you are reading the wiki... So keep doing that. :-)
>
> I'll get there, your change is ok.
>

Hi Louis, do you let your users have access to everybody else's roaming profiles?

Rowland
Gooooood morning Rowland, :-)

Thunder and rain here.. You're pushing rain to me from England ;-) :-p

Yes, if you count administrator also to everybody. ;-)

What I have on my member server. ( AD backend )

    install -d /home/samba/profiles -m 1770 -o root -g root

    [profiles]
        browseable = yes
        path = /home/samba/profiles
        read only = no
        acl_xattr:ignore system acls = yes

    drwxrwx--T+ 103 root root 4096 Jun 14 16:25 profiles

    getfacl /home/samba/profiles/
    # file: home/samba/profiles/
    # owner: root
    # group: root
    # flags: --t
    user::rwx
    user:root:rwx
    group::---
    group:root:---
    group:domain\040users:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:group::---
    default:group:root:---
    default:mask::rwx
    default:other::---

Resulting in the profiles/username.vX folder to username and SYSTEM Administrator (and domain admins) has access also, through root/administrator mapping, but normal users can see the other users folder but can not access it.

Share security, just the default, to everyone, folder rights handles everything else. That's where the domain users comes in.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 18 June 2019 17:15
> To: samba at lists.samba.org
> Subject: Re: [Samba] Roaming Profiles
>
> On 18/06/2019 16:08, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > I think you missed the part in the link:
> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions
> > This part:
> > Setting up the Share on the Samba File Server
> > Using Windows ACLs
> > To create a share, for example, profiles for hosting the roaming profiles on a Samba file server:
> >
> > Create a new share. For details, see Setting up a Share Using Windows ACLs. Set the following permissions:
> >
> > Where "Setting up a Share Using Windows ACLs" links to:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > Where 770 is used ;-)
> >
> > But at least you are reading the wiki... So keep doing that. :-)
> >
> > I'll get there, your change is ok.
> >
> Hi Louis, do you let your users have access to everybody else's roaming profiles?
>
> Rowland
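An added illustration, not part of the original thread: a small Python model of the POSIX ACL access check, applied to the getfacl output posted above and to the plain modes 1750 and 1770, showing why a member of the owning group cannot create its user.V2 folder in the share root under 1750. The user and group names passed to it (utest, domain users) are assumptions about how winbind presents them on a given server.

```python
# Sample input: the access entries of the getfacl output posted above.
LOUIS_ACL = r"""# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Parse the access entries of getfacl output; default: entries are skipped."""
    acl = {"owner": "", "group": "", "entries": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:", "# flags:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split(":")[:3]
            # getfacl writes a space inside a name as the octal escape \040
            acl["entries"].append((tag, name.replace("\\040", " "), perms[:3]))
    acl["sticky"] = acl.pop("flags", "---")[2:3] in ("t", "T")
    return acl

def from_mode(owner, group, mode):
    """ACL equivalent of a plain chmod mode (no extended entries, no mask)."""
    bits = lambda n: "".join(c if n & b else "-" for c, b in zip("rwx", (4, 2, 1)))
    return {"owner": owner, "group": group, "sticky": bool(mode & 0o1000),
            "entries": [("user", "", bits(mode >> 6)), ("group", "", bits(mode >> 3)),
                        ("other", "", bits(mode))]}

def allowed(acl, user, groups, need="wx"):
    """POSIX ACL check; creating user.V2 needs write+search ('wx') on the share root."""
    entries = acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    masked = lambda p: "".join(c if c == m else "-" for c, m in zip(p, mask))
    if user == acl["owner"]:
        found = [p for t, n, p in entries if t == "user" and not n]
    else:
        # First matching class wins: named user, then group class, then other.
        found = [masked(p) for t, n, p in entries if t == "user" and n == user]
        found = found or [masked(p) for t, n, p in entries
                          if t == "group" and (n or acl["group"]) in groups]
        found = found or [p for t, _, p in entries if t == "other"]
    return any(all(c in p for c in need) for p in found)
```

With mode 1750 the group class holds only r-x, so the check for "wx" fails; 1770, or the named `domain users` entry in the ACL, grants it, while the sticky flag still stops users from removing each other's folders.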
Hello,

there is still something that does not work: Sometimes, when session is open, there is an error about user profile: "Problem with your local profile. Your session was opened using your local profile saved previously".

In the Event Observer, I can see this error: the process cannot access the file because it is being used by another process

But which file? No idea... This is not indicated.

On 19/06/2019 at 14:36, Tom wrote:
> Hello Rowland,
>
> Actually chmod is set to 1770 just for /srv/samba/profiles folder:
>
> drwxrwx--T   4 root DOMAIN\domain users  4096 18 juin  17:30 profiles
>
> Then, when a w7 user session is open, user.V2 is automatically created
> with this rights:
>
> drwxrwx---+ 14 DOMAIN\utest   BUILTIN\administrators 4096 18 juin 17:21 utest.V2
>
> Only this user can access to this directory. I tested with another:
> no access.
>
> This is profiles part of my smb.conf:
>
> ------------------------------------------
> [profiles]
>     comment = Profils Utilisateurs
>     path = /data/profiles/
>     browseable = no
>     read only = No
>     force create mode = 0600
>     force directory mode = 0700
>     csc policy = disable
>     store dos attributes = yes
>     vfs objects = acl_xattr
> ------------------------------------------
>
> is it working properly for you?
>
>
> On 18/06/2019 at 17:11, Rowland penny via samba wrote:
>> On 18/06/2019 15:58, Tom via samba wrote:
>>> Hello,
>>>
>>> I created a GPO Roaming Profiles redirection in my AD as shown on
>>> this page
>>> (https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#The_Windows_Roaming_Profile_Versions).
>>> The data are stored in a sharing file server (samba member domain).
>>>
>>> When I open a windows user session it doesn't work. Event observer
>>> says "Access denied".
>>>
>>> So I changed 'chmod 1750 /srv/samba/profiles/' for 'chmod 1770' and
>>> it works.
>>>
>>> Finally, is it a mistake on the Wiki? Or should I do otherwise?
>>
>> It looks like your user is possibly unknown to the OS, but your group
>> (Domain Users ??) isn't and you have now given the group write access
>> to the profile.
>>
>> Can you post the smb.conf from the server holding the profiles.
>>
>> Rowland
Hello! Tom via samba wrote on that day:
> there is still something that does not work: Sometimes, when session is
> open, there is an error about user profile: "Problem with your local
> profile. Your session was opened using your local profile saved
> previously".
> In the Event Observer, I can see this error: the process cannot access the
> file because it is being used by another process
> But which file? No idea... This is not indicated

I've spotted the same things; it frequently happens when you do some 'too quick' logoff/logon (even on the same PC).

Some months ago I've posted that:

https://lists.samba.org/archive/samba/2019-April/222398.html

For me, it is the same root cause: newer samba (or newer windows? ;-) doesn't close some files, and so on subsequent logon those files are ''locked''.

Lowering the TCP 'socket options' helped, anyway. With:

    socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15

effectively logon trouble happens if a user does a logoff/logon between 5 minutes.

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/